Note: This is an archival copy of Security Sun Alert 200785 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com
as Sun Alert 1000601.1.

The Solaris Secure Shell daemon, sshd(1M), shipped with Solaris 9, is based on OpenSSH and is affected by a buffer management security vulnerability which may allow local or remote unprivileged users to execute arbitrary commands with the permissions of the sshd(1M) daemon or create a denial of service condition by corrupting the heap of the sshd(1M) daemon. The sshd(1M) daemon normally runs with "root" (uid 0) privileges.

Note: Solaris 8 and earlier releases did not ship with Solaris Secure Shell and therefore are not vulnerable.

Symptoms

There are no predictable symptoms that would indicate the above described issues have been exploited.

Workaround

Until patches can be installed for this issue, sites are advised to disable the sshd(1M) daemon on Solaris 9 systems. The following commands can be run as root to kill the existing sshd(1M) daemon and prevent it from starting up after future reboots: